IntenseWebs/mattermost
3
0
Fork 0
mirror of https://github.com/mattermost/mattermost.git synced 2025-02-25 18:55:24 -06:00
Code Issues Packages Projects Releases Wiki Activity

Convert URLs to fully-qualified for HTTP redirects (#19020)

Browse Source 
* Convert URLs to fully-qualified for HTTP redirects

* forgot the tests
This commit is contained in:
Lev
2021-11-23 08:51:25 -08:00
committed by GitHub
parent 8440a754b4
commit 03f43d7ae5
3 changed files with 29 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
web/oauth.go
View File

@@ -289,6 +289,7 @@ func completeOAuth(c *Context, w http.ResponseWriter, r *http.Request) {
hasRedirectURL = redirectURL != ""
}
}
redirectURL = fullyQualifiedRedirectURL(c.GetSiteURLHeader(), redirectURL)
renderError := func(err *model.AppError) {
if isMobile && hasRedirectURL {
@@ -341,11 +342,6 @@ func completeOAuth(c *Context, w http.ResponseWriter, r *http.Request) {
return
} else { // For web
c.App.AttachSessionCookies(c.AppContext, w, r)
// If no redirect url is passed, get the default one
if !hasRedirectURL {
redirectURL = c.GetSiteURLHeader()
}
}
}
@@ -438,3 +434,15 @@ func signupWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) {
http.Redirect(w, r, authURL, http.StatusFound)
}
func fullyQualifiedRedirectURL(siteURLPrefix, targetURL string) string {
parsed, _ := url.Parse(targetURL)
if parsed == nil || parsed.Scheme != "" || parsed.Host != "" {
return targetURL
}
if targetURL != "" && targetURL[0] != '/' {
targetURL = "/" + targetURL
}
return siteURLPrefix + targetURL
}

15
web/oauth_test.go
View File

@@ -805,3 +805,18 @@ func (th *TestHelper) AddPermissionToRole(permission string, roleName string) {
panic(err2)
}
}
func TestFullyQualifiedRedirectURL(t *testing.T) {
const siteURL = "https://xxx.yyy/mm"
for target, expected := range map[string]string{
"": "https://xxx.yyy/mm",
"/": "https://xxx.yyy/mm/",
"some-path": "https://xxx.yyy/mm/some-path",
"/some-path": "https://xxx.yyy/mm/some-path",
"/some-path/": "https://xxx.yyy/mm/some-path/",
} {
t.Run(target, func(t *testing.T) {
require.Equal(t, expected, fullyQualifiedRedirectURL(siteURL, target))
})
}
}

2
web/saml.go
View File

@@ -110,6 +110,7 @@ func completeSaml(c *Context, w http.ResponseWriter, r *http.Request) {
redirectURL = val
hasRedirectURL = val != ""
}
redirectURL = fullyQualifiedRedirectURL(c.GetSiteURLHeader(), redirectURL)
handleError := func(err *model.AppError) {
if isMobile && hasRedirectURL {
@@ -184,7 +185,6 @@ func completeSaml(c *Context, w http.ResponseWriter, r *http.Request) {
})
utils.RenderMobileAuthComplete(w, redirectURL)
} else {
redirectURL = c.GetSiteURLHeader() + redirectURL
http.Redirect(w, r, redirectURL, http.StatusFound)
}
return